Analysis
-
max time kernel
548s -
max time network
599s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-01-2025 14:26
General
-
Target
NURSULTAN.exe
-
Size
2.1MB
-
MD5
fd2d8d7d53e2bdd90497bb9b83d7f909
-
SHA1
df1750dd2309196a3595f6bc6c99386e562276c0
-
SHA256
98585e8fc301ec5becd9b995466c38981ac37102f917d52fba059261c4ae1647
-
SHA512
fbe80cc5f0c3c6d914cc02c27c99f993719399da04302397c6254d623437a2580b82694a33c597d5a761f6d47996ed30bd468da44607e792e7542955b6378160
-
SSDEEP
49152:lmqBYFzxwN2mF2mDY+FYFO954TOAghwA3fwQmJnc2+WAIZs0:cG2zxQD1mwAW/PFmpchWFB
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\j8tgFzwbmI.exe"C:\Users\Admin\AppData\Roaming\j8tgFzwbmI.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\wGBgyBukVQ.exe"C:\Users\Admin\AppData\Roaming\wGBgyBukVQ.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exjz4ep0\exjz4ep0.cmdline"4⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9673.tmp" "c:\Windows\System32\CSC3AD48ADE8C24C0494539BD51693B25.TMP"5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\RuntimeBroker.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\SearchApp.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\System.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wGBgyBukVQ.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BSNp1sW5pR.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\MSBuild\SearchApp.exe"C:\Program Files\MSBuild\SearchApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 8042⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 41481⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wGBgyBukVQw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\wGBgyBukVQ.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wGBgyBukVQ" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\wGBgyBukVQ.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wGBgyBukVQw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\wGBgyBukVQ.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files\MSBuild\SearchApp.exe"C:\Program Files\MSBuild\SearchApp.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5750e4be22a6fdadd7778a388198a9ee3
SHA18feb2054d8a3767833dd972535df54f0c3ab6648
SHA25626209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1
SHA512b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
166B
MD5e34e18ed8c524694361b5faa9f23e505
SHA105989711ed142d989bf6da02e5ab6d2872621412
SHA25695c778ab98721c3d52d62bd1397a2683c8e01f56e317b658057280470a8a06a4
SHA512afd0a4dcfaa47987fd529d67b92c0c149220878cab26259e58e112a48f392f1c6a4fa5a88f85fb10a24c42ad83e3b1a02228f32158ee711e08cb5bf4a415c525
-
Filesize
1KB
MD521e7758914e61134bfbc51aa9d7c62e9
SHA1951cf2df7cdb684f55055e5bf63f203121fd5f04
SHA25640070dedcd24ffd38cef99a30c006aa7cfbdd95d4e4348bef3d8f25ea8e65a4c
SHA5127625ff5ac43f4129b7d604874c2e5984835c8a9113d890963f3de2d365bc66ba3509bf3b643cdcf32980fed17cec6d276154bd7be8709d087c151447c3741501
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
18KB
MD5f3edff85de5fd002692d54a04bcb1c09
SHA14c844c5b0ee7cb230c9c28290d079143e00cb216
SHA256caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131
SHA512531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d
-
Filesize
1.8MB
MD5c3a59b9df64f75bb34d4a18a59f1a9d1
SHA193066e297fe1be0c228e40078443670d655b743d
SHA256a4e26cfb8ec5fd1e36f33d02f196f711bcedb06baa02b6b50e1c588845d948dc
SHA512d39fb4e7202c9e31abc1f4802f9b29a0db4d53d636bae7f5051ff64d082ed668a7f45cf8d22728cc8ed7dc785efb603e89b5cecb24fa92c7ac5d395282f6d307
-
Filesize
387B
MD595bc52becb3f13397f9d1e3c3e4d3964
SHA140ad8d7f7cc452eef49839a78fc8303b7f7ca3d9
SHA2566a52a699b046b1ec190b6f58dc3d2f83316048f78e0c22afb8ca49104edca578
SHA5124a5145f3ccd13595be37bbf9cfb0b9cc33c7fba2371e1f1076ea93f844a27f5f76faf981c958d9ffdc0b2ef8572b030709ddc3a729db1ff7b8b8f16e19dfe543
-
Filesize
235B
MD5cc0f9e11d079d284d22c4ca28dd17912
SHA124b34131eab34c8805ceed1fa26dd9abff1eb59b
SHA256d24ca017a638fd750283791b92718e08e1f97cf82f8df695893aae180c25f7a6
SHA5125587a33d0680a4fea61ec082cf57a2be5cd8ebaa2282b55be3b9402ff642108e5818771739d51d9c56e3db5f083d705ace9981f46780c067c9921871a44c04ea
-
Filesize
1KB
MD575e32610d8ef6143201c7c28465fcda9
SHA1b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA25697ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
1.9MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
360KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
136KB